Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Lawsuit Alleges Disney Illegally Tracks Children Via Apps

Following a class action lawsuit, Disney is fighting allegations this week that its apps fail to safeguard children’s personal information.

The Walt Disney Company is fighting allegations this week that its apps fail to safeguard children’s personal information. The move follows a class action lawsuit brought against the company and four others who produce the apps.

According to the complaint (.PDF), Amanda Rushing and her child filed the lawsuit on Thursday in the San Francisco/Oakland division of the United States District Court on the behalf of themselves and others. The suit claims the defendants, The Walt Disney Company, Disney Electronic Content, Upsight, an analytics and marketing platform for mobile apps, Unity Technologies, a video game developer, and Kochava, a mobile analytics platform, violated the FTC’s Children’s Online Privacy Protection Act (COPPA).

The plaintiffs allege that Disney is tracking users, including those under the age of 13, via apps across the internet via a series of specialized advertising software development kits, or SDKs.

The SDKs, embedded into the app’s underlying code, siphon up data such as device personal identifiers associated with children. That information of course is traditionally sold to third parties to create behavioral profiles and advertising schemes.

This is especially the case for Disney Princess Palace Pets, an app for Android and Apple devices made by Disney and is at the crux of the lawsuit.

Rushing claims her daughter, referred to as “L.L.” in the class action suit, used the app while under the age of 13. The lawsuit alleges the game, which lets users “groom, bathe, accessorize, and play” with 10 different pets, is clearly marketed towards children under that age.

The lawsuit goes on to allege that Disney and the defendants collected personal information belonging to children without their parents’ permission. There were no disclosures or mechanisms on the app that prompted the plaintiffs to give their consent, it adds.

“By affirmatively incorporating the SDK Defendants’ behavioral advertising SDKs into their child-directed apps and permitting them to track children by collecting, using, or disclosing their persistent identifiers without verifiable parental consent, Disney violated COPPA,” the lawsuit states.

Disney Palace Pets wasn’t the only app allegedly guilty to tracking users. A slew of nearly 50 other apps such as the Disney Princess: Charmed Adventures, Club Penguin Island, and Disney Emoji Blitz, also contain behavioral advertising SDKs maintained by companies like Upsight, Unity, and Kochava, that “operate in a substantially similar manner,” the lawsuit states.

Michael Sobol, an attorney with Lieff Cabraser Heimann & Bernstein LLP and the author of the complaint, writes that in addition to violating COPPA, Rushing views Disney’s actions as highly offensive and an invasion of her child’s privacy.

The Walt Disney Company, in a statement supplied to Threatpost Monday night, said it disagrees with the suit and that it plans to fight it in court.

“Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court,” Disney said.

The lawsuit isn’t the first to hit Disney.

Playdom, a social gaming startup acquired by Disney back in 2010, was forced to pay a $3 million civil penalty for collecting information from hundreds of thousands of children gathered from virtual world websites in 2011. That sum was just a drop in the bucket for Disney; the company had paid over $763 million to acquire Playdom just months before agreeing to the settlement.

The Center for Digital Democracy called out Disney in 2013 after its MarvelKids.com website failed to secure parental consent from children under 13 before tracking and collecting personal information about them.

Disney said at the time it collected that personal information – in some instances their location and persistent identifiers – for internal purposes but that reasoning didn’t cut it for the CDD, which filed a complaint with the Federal Trade Commission in December that year. Disney updated the site’s privacy policy shortly after but it still wasn’t enough in the eyes of the center, which filed a follow up complaint in March stressing the company needs to do more to empower parents and protect children’s privacy.

This article was updated at 8:30 p.m. EST with a statement from the Walt Disney Company.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.